Inspired by a concrete industry problem we consider the input synthesis problem for hybrid systems: given a hybrid system that is subject to input from outside (also called disturbance or noise), find an input sequence that steers the system to the desired postcondition. In this paper we focus on sampled data systems, systems in which a digital controller interrupts a physical plant in a periodic manner, a class commonly known in control theory, and furthermore assume that a controller is given in the form of an imperative program. We develop a structured approach to input synthesis that features forward and backward reasoning in program logic for the purpose of reducing a search space. Although the examples we cover are limited both in size and in structure, experiments with a prototype implementation suggest potential of our program logic based approach.


1 Introduction


Cyber-physical systems (CPS), the integration of digital control with physical environments, are gaining yet more and more importance, with cars, airplanes and all others controlled by computers. Hybrid systems capture one of the critical aspects of CPS, by focusing on the combination of continuous flow dynamics and discrete jump dynamics. Quality assurance of hybrid systems is therefore a big concern in industry as well as in academia.

In this paper we study the input synthesis problem of hybrid systems: given a hybrid system that is subject to input from outside (also commonly called disturbance or noise), we aim to find an input sequence that steers the system to the desired postcondition. Our interest in input synthesis stems from the following concrete problem: it was provided by our research partner in the car manufacturing industry as a prototype of the problems they often encounter in their design process.

Example 1.1. In the system below in Fig. 1 the controller interrupts the plant (a car) once every second and manages the velocity v of the car. The controller chooses one mode and the plant operates in that mode for one second, after which the value of v is fed back to the controller via the sensor. The problem is to come up with an initial state of the whole system together with an input sequence i_0, ..., i_999, such that

• (precondition) the initial state satisfies cnt = 0 and v ∈ [−0.1, 0.1]; and

• (postcondition) after 1000 seconds, the system satisfies cnt = 100.

The input synthesis problem can arise in many different contexts in quality assurance of hybrid systems. One example is testing: the desired postcondition is the trigger for some countermeasure (e.g. a fuse) against certain extremity (the countermeasure is outside the model); and we seek for input (i.e. a test case) that drives the system to activating the countermeasure. The input sequence thus discovered in the model can be fed to the physical realization of the system to see if the countermeasure works properly.

Figure 1: A hybrid system

This paper contributes an algorithm for solving the input synthesis problem. Its novelty is the use of program logic: we make the most of the structures expressed in the digital controller given in the form of a program. In fact, a likely human effort for the problem in Example 1.1 is:

(∗) "For the system to have cnt = 100 at time k = 1000, the Boolean value a_k must be true from k = 900 through k = 999, and ..."

This is nothing but reasoning in program logic and is included in our proposed algorithm.

More specifically, we restrict our attention to a class of hybrid systems commonly called sampled data systems. One such system consists of a physical plant, a digital controller that periodically interrupts the plant (for simplicity we assume a fixed interval), and a sensor that feeds the state of the plant back to the controller. This structural assumption, restrictive yet realistic, allows us to think of the behaviors of such systems quite much as the semantics of programs, and enables forward and backward reasoning in program logic. In our algorithm for solving the input synthesis problem, reasoning in program logic (like the above (∗)) contributes to the reduction of the search space. Indeed our prototype implementation successfully solves the problem in Example 1.1.

Related Work The closest to the current work is one by Zutshi, Sankaranarayanan and Tiwari [17], where they verify safety properties of sampled data systems. Their model is more expressive, in that a plant can autonomously change its modes without interruption by a controller. While their goal is reachability analysis and is different from the current paper's, their relational abstraction technique can be useful in our algorithm, too, in particular for the forward approximation phase.

SMT-solver based approaches to hybrid system analysis are related, too, especially in their emphases on discrete jump dynamics rather than continuous flow. Their effectivity in the input synthesis problem is not yet clear, though: the only available implementation (that of dReal) returned 'unsat' to Example 1.1.

More generally, an important feature of our modeling is that a digital controller is given in the form of a program, unlike an automaton used in a majority of existing work. The contrast is comparable to the difference between the theorem proving (or type-based) approach and software model checking in program verification. While there have been results that suggest these two approaches are equivalent on a fundamental level, differences do remain, especially in applications. In our proposed algorithm it is an advantage that we can exploit rich structural information that is explicit in a program in inferring impossibility (false) more quickly.
The backward search phase of our algorithm resembles a membership question addressed in the general work by Alur et al. Since our plant (flow) dynamics is not necessarily linear, it is not easy to see how their results can be used in our problem. They could nevertheless be applied to meta-properties of the problem such as complexity.

Fainekos and his colleagues have developed several techniques for analyzing robustness of hybrid systems. Among them is a tool called S-Taliro: it searches for a trajectory by optimization that relies on the continuous nature of the system dynamics. It is possible to encode the input synthesis problem into an input to S-Taliro. However our leading example (Example 1.1), of a jump-heavy nature, seems to fall out of the tool's focus (it timed out with a smaller problem of 15, not 1000, time units).

Several techniques for testing hybrid systems have been proposed. Although they synthesize test cases and therefore seem similar to what we do here, their goal is to meet certain coverage criteria (such as star discrepancy) and not to come up with input that steers the system to a specific desired postcondition.

The current work is on logical analysis of hybrid systems; and in that respect it is close to Platzer's recent series of work, where dynamic logic is extended in a systematic way so that it encompasses continuous dynamics too. Also related is the work by some of the authors, where flow is turned into jump with the help of nonstandard analysis, and (discrete) program logic is applied as it is to hybrid systems.


Future Work In this paper we applied program logic to the specific problem of input synthesis. We believe the technique has a greater potential and plan to look at other applications.

The current implementation can only handle continuous plants of dimension 1. Its extension to larger dimensions seems feasible. Specifically, the forward approximation phase of our algorithm will be unproblematic, while in the backward search phase we will have to give up completeness.

Currently our modeling of a sampled data system has a fixed clock cycle. It does not seem hard to accommodate variable intervals; such extension as well as its use is a topic of our future work.

Our modeling benefits a lot from the assumption that the controller communicates with the plant and the sensor using finite datatypes. Some hybrid systems do call for relaxation of this assumption in their modeling; it is our future work to see how the current input synthesis algorithm carries over to such relaxation.


Organization of the Paper In §2 we introduce our modeling of sampled data systems and formalize the input synthesis problem. In §3 we describe our algorithm, explaining its three phases one by one. In §4 our implementation is described, together with the experimental results. The proofs are deferred to the appendix.


Acknowledgments We are grateful to the reviewers of an earlier version for their useful comments and suggestions. T.A. and I.H. are supported by Grants-in-Aid for Young Scientists (A) No. 24680001, and by Aihara Innovative Mathematical Modeling Project, FIRST Program, JSPS/CSTP; K.S. is supported by Grants-in-Aid for Young Scientists (B) No. 70633d92 and The Hakubi Project of Kyoto University.


Notations R is the set of real numbers; B = {tt, ff} is the set of Boolean values. We let f[x_0 ↦ y_0] denote function update: it carries x_0 to y_0 and acts as f on the other input.
2 Modeling Sampled Data Systems

2.1 Overview

Sampled data systems are a class of hybrid systems commonly known in control theory. In these systems a physical plant is interrupted by a digital controller in a periodic manner. In the current paper, where our interests are in input synthesis, it is convenient to explicitly separate the third component called a sensor. The three components are then organized in a loop, as shown on the right.

In the execution of sampled data systems thus modeled, we refer to the three stages in which the sensor, the controller, and the plant operate, respectively, as the sense, think, and act stages. Note that the sensor also takes input from outside the system.

For simplification we further assume the following.

1. A (digital) controller is written in an imperative programming language.

2. In the execution of a sampled data system, the sense-think-act loop is executed at fixed intervals, once every one second.¹

3. The sense and control stages take no time for their execution.

4. The controller governs the plant by picking a mode from a finite set {m_1, ..., m_M}. In particular, the controller cannot feed the plant with a continuous value r.

5. In the act stage the plant operates according to (the ODE associated with) the mode m_i picked by the controller. The act stage lasts for one second (a fact that follows from 2 and 3).

6. The data sent from the sensor to the controller is finitely many Boolean values.

While there are many actual systems that fall out of the realm of this modeling, it does cover fairly many, among which are fixed interval digital controllers, a class of hybrid systems ubiquitous in industry. Sampled data systems, especially under the above assumptions, come to exhibit pleasant structural properties: their behaviors are much like those of programs and we can apply forward and backward reasoning in program logic. Assumptions 2 and 3 are common. For example, Assumption 3 is reasonable considering the speed of digital circuits and typical sensing intervals (≳ 1ms). Assumptions 4 and 6, that the controller communicates via finite datatypes, are essential in reducing the input synthesis problem to a search problem.

2.2 The Language

We start with defining an imperative programming language that is used to describe the (digital) controller of a sampled data system. It is a standard one and is much like IMP, but lacks the while construct. It is indeed unrealistic to have while loops in real-time applications like cyber-physical systems. Moreover, without while loops we can succinctly express weakest preconditions and strongest postconditions; the latter are fully exploited in our algorithm for input synthesis.



¹ The clock cycle can be an arbitrary number δ; in this paper we assume δ = 1 for simplicity.

In IMP_ctrl the set Var = Var_t ∪ Var_s ∪ Var_a of variables is divided into three classes: the think, sense and act variables. The distinction is for the purpose of communicating with the other two components (plant and sensor) of a system.

As we will see, a think variable x_t ∈ Var_t stores a real number (which will be a floating-point number in an actual implementation); a sense variable x_s ∈ Var_s represents a Boolean value sent from the sensor; and the (only) act variable x_a in Var_a = {x_a} tells the plant which mode the plant should be in in the coming interval.

Definition 2.1 (the language IMP_ctrl). Let Modes = {m_1, ..., m_M} be a fixed finite set of modes; Var_t be a countable set of think variables; Var_s be a finite set of sense variables; and Var_a := {x_a}. The syntax of IMP_ctrl is as follows.

  AExp ∋ a ::= r | x_t | a_1 aop a_2                                              arithmetic expr.
  BExp ∋ b ::= true | false | x_s | a_1 rop a_2 | b_1 ∨ b_2 | b_1 ∧ b_2              Boolean expr.
  Cmd  ∋ c ::= skip | x_t := a | x_a := m_i | c_1; c_2 | if b then c_1 else c_2     commands

Here r ∈ R, m_i ∈ Modes, x_t ∈ Var_t, x_s ∈ Var_s, aop ∈ {+, …} and rop ∈ {…}. The semantics of IMP_ctrl is as usual. See Def. A.1 for details.



2.3 Assertions for IMP_ctrl


We now introduce an assertion language for IMP_ctrl. Its formulas are used to express pre- and postconditions in the input synthesis problem, as well as in program logic. The semantics of the first-order language Assn_ctrl is as usual. See Def. A.2.


Definition 2.2 (the assertion language Assn_ctrl). Fix a set Var' of "logical" variables such that Var ∩ Var' = ∅. The assertion language Assn_ctrl is defined as follows.

  AExp ∋ a ::= r | x_t | v' | a_1 aop a_2                                                            arithmetic expressions
  MExp ∋ m ::= m_i | x_a                                                                              mode expressions
  Fml  ∋ Φ ::= true | false | x_s | a_1 rop a_2 | m = m' | ¬Φ | Φ_1 ∨ Φ_2 | Φ_1 ∧ Φ_2 | ∀v' ∈ R. Φ | ∃v' ∈ R. Φ    formulas

Here r ∈ R, m_i ∈ Modes, x_t ∈ Var_t, x_s ∈ Var_s, and v' ∈ Var'. Intuitively, σ ∈ Σ is a valuation that depends on the state of a sampled data system; and γ ∈ R^{Var'} is another valuation of (logical) variables in Assn_ctrl.


2.4 Calculi for Weakest Preconditions and Strongest Postconditions

We introduce program logic for IMP_ctrl in the form of a weakest precondition calculus and a strongest postcondition calculus. The calculi will be exploited for the search space reduction in input synthesis.

Definition 2.3 (weakest precondition w[c, Φ]; strongest postcondition s[c, Φ]). Given c ∈ Cmd of IMP_ctrl and Φ ∈ Fml of Assn_ctrl, we define a formula w[c, Φ] ∈ Fml inductively on c:

  w[skip, Φ] := Φ ,                w[c_1; c_2, Φ] := w[c_1, w[c_2, Φ]] ,
  w[x_t := a, Φ] := Φ[a/x_t] ,     w[x_a := m_i, Φ] := Φ[m_i/x_a] ,                                 (2)
  w[if b then c_1 else c_2, Φ] := (b ∧ w[c_1, Φ]) ∨ (¬b ∧ w[c_2, Φ]) .
A formula s[c, Φ] ∈ Fml is defined as follows, by induction on c:

  s[skip, Φ] := Φ ,                s[c_1; c_2, Φ] := s[c_2, s[c_1, Φ]] ,
  s[x_t := a, Φ] := ∃v' ∈ R. (Φ[v'/x_t] ∧ x_t = a[v'/x_t]) ,
  s[x_a := m_i, Φ] := (∨_{m_j ∈ Modes} Φ[m_j/x_a]) ∧ x_a = m_i ,                                   (3)
  s[if b then c_1 else c_2, Φ] := s[c_1, b ∧ Φ] ∨ s[c_2, ¬b ∧ Φ] .


In our implementation, Assn_ctrl is restricted to its propositional fragment for tractability. The quantifier in (3) is thus immediately eliminated using the quantifier elimination mechanism in Mathematica. The third line in (3) is essentially the same as the second: there we can dispense with a quantifier since Modes = {m_1, ..., m_M} is a finite set.

Proposition 2.4. For any σ ∈ Σ and γ ∈ R^{Var'},

1. (weakest precondition) σ, γ ⊨ w[c, Φ] if and only if ⟦c⟧(σ), γ ⊨ Φ.

2. (strongest postcondition) σ', γ ⊨ s[c, Φ] if and only if σ' = ⟦c⟧(σ) for some σ with σ, γ ⊨ Φ.
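As an added illustration of the calculus (2) and of Prop. 2.4(1), not part of the paper or of its OCaml prototype, the following Python code computes w[c, Φ] purely syntactically for the while-free language and then checks the proposition by evaluating both sides over a grid of controller states. The tuple encoding of the syntax is ours, and the controller program is an assumed reconstruction of the running example's description (count the extremity, brake after two intervals).

```python
MODES = ("Acl", "Brk")

def subst(phi, x, a):  # phi[a/x]: replace every occurrence of the think variable x by expression a
    if phi[0] == "var" and phi[1] == x:
        return a
    return (phi[0],) + tuple(subst(p, x, a) if isinstance(p, tuple) else p for p in phi[1:])

def subst_mode(phi, m):  # phi[m/x_a]: an atom x_a = m' becomes true if m' is m, false otherwise
    if phi[0] == "xa=":
        return ("true",) if phi[1] == m else ("false",)
    return (phi[0],) + tuple(subst_mode(p, m) if isinstance(p, tuple) else p for p in phi[1:])

def wp(c, phi):  # w[c, phi] as in eq. (2), computed purely syntactically
    kind = c[0]
    if kind == "skip":
        return phi
    if kind == "seq":                               # w[c1; c2, phi] = w[c1, w[c2, phi]]
        return wp(c[1], wp(c[2], phi))
    if kind == "assign":                            # w[x_t := a, phi] = phi[a/x_t]
        return subst(phi, c[1], c[2])
    if kind == "setmode":                           # w[x_a := m, phi] = phi[m/x_a]
        return subst_mode(phi, c[1])
    if kind == "if":                                # (b and w[c1, phi]) or (not b and w[c2, phi])
        return ("or", ("and", c[1], wp(c[2], phi)), ("and", ("not", c[1]), wp(c[3], phi)))
    raise ValueError(kind)

def evaluate(e, sigma):  # value of an expression or formula in controller state sigma (a dict)
    k = e[0]
    if k == "num":
        return e[1]
    if k in ("var", "svar"):
        return sigma[e[1]]
    if k == "xa=":
        return sigma["x_a"] == e[1]
    if k in ("true", "false"):
        return k == "true"
    if k == "not":
        return not evaluate(e[1], sigma)
    l, r = evaluate(e[1], sigma), evaluate(e[2], sigma)
    return {"and": l and r, "or": l or r, "+": l + r, "-": l - r,
            "<": l < r, "<=": l <= r, "=": l == r}[k]

def execute(c, sigma):  # semantics of a command: the controller state reached from sigma
    k = c[0]
    if k == "skip":
        return sigma
    if k == "seq":
        return execute(c[2], execute(c[1], sigma))
    if k == "assign":
        return {**sigma, c[1]: evaluate(c[2], sigma)}
    if k == "setmode":
        return {**sigma, "x_a": c[1]}
    return execute(c[2] if evaluate(c[1], sigma) else c[3], sigma)

# Controller of the running example (ASSUMED reconstruction of the program behind Fig. 2):
#   if x_s then cnt := cnt + 1 else cnt := 0;  if 2 <= cnt then x_a := Brk else x_a := Acl
CONTROLLER = ("seq",
    ("if", ("svar", "x_s"),
           ("assign", "cnt", ("+", ("var", "cnt"), ("num", 1))),
           ("assign", "cnt", ("num", 0))),
    ("if", ("<=", ("num", 2), ("var", "cnt")), ("setmode", "Brk"), ("setmode", "Acl")))

def holds_prop_2_4(c, phi, cnts=range(5)):  # sigma |= w[c, phi]  iff  [[c]](sigma) |= phi, on a grid
    pre = wp(c, phi)
    for cnt in cnts:
        for x_s in (False, True):
            for x_a in MODES:
                sigma = {"cnt": cnt, "x_s": x_s, "x_a": x_a}
                if evaluate(pre, sigma) != evaluate(phi, execute(c, sigma)):
                    return False
    return True

POST_ACL = ("xa=", "Acl")   # postcondition: the controller ends up choosing the acceleration mode
```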


2.5 Modeling Sampled Data Systems, Formally

We present the formal definition of our modeling of sampled data systems, under the assumptions in §2.1.

Definition 2.5 (sampled data system). Let n be a natural number, and I be a fixed set called the input domain. An n-dimensional sampled data system is a triple 𝒮 = (c, p, s) where:

• c ∈ Cmd is a command of IMP_ctrl, called a controller;

• p = (ẋ = p_m(t, x))_{m ∈ Modes} is a family of (explicit, n-dimensional) ODEs indexed by Modes = {m_1, ..., m_M}, called a plant; and

• s : R^n × I → B^{Var_s} is a function, called a sensor.

A state of a sampled data system is a pair (σ, x) of σ ∈ Σ and x ∈ R^n. In a state (σ, x), the component σ is called its controller state (C-state), and x a plant state (P-state).

The dimension n refers to that of the (continuous) plant, meaning that x and ẋ in the plant p = (ẋ = p_m(t, x))_{m ∈ Modes} are vectors in R^n.

Example 2.6 (count and brake). In Fig. 2 is a simplification of Example 1.1; this will be our running example. The value v is intended to be the velocity of a car.

Figure 2: A sampled data system (running example)

The example follows a pattern of fixed interval controllers commonly used in industry. Namely, a counter cnt is used to tell if extremity (v + i > 1) has continued for a certain critical number of intervals (2 here). If cnt reaches the critical number a countermeasure is taken: the plant is set to the braking mode (Brk) and the velocity v decreases. Otherwise the plant operates in the acceleration mode (Acl), which is a first-order lag system where the velocity v approaches towards 2.

The system takes input i, whose domain is assumed to be [−0.2, 0.2], that models disturbance from outside. For example, the road can be slippery, which can make the actual velocity v different from the value that is used by the controller.

2.6 Semantics of Sampled Data Systems

We formally define the semantics of a sampled data system. Our current concern is not so much on the solution of ODEs as on the interaction between a controller and a plant. Therefore we adopt the following black-box view of a plant.

Definition 2.7 (execPlant(p, x)). In what follows we assume that all the ODEs used for a plant have unique solutions. That is, for any n-dimensional ODE ẋ = p(t, x) and an initial value x_0 ∈ R^n, we assume that there exists a unique function F : [0, 1] → R^n such that: F(0) = x_0; and for any t ∈ [0, 1], dF/dt(t) = p(t, F(t)).

By execPlant(p, x_0) we denote the state of the plant ẋ = p(t, x) at time t = 1, assuming that the initial state (at time t = 0) is x_0. That is, execPlant(p, x_0) = F(1) where F is the function in the above.

In our implementation we actually use the result of numerical calculations (by MATLAB) as the value execPlant(p, x), ignoring numerical errors.

Definition 2.8 (semantics of a sampled data system). Let 𝒮 = (c, p, s) be a sampled data system. The one-step transition is a ternary relation → among two states and an input i ∈ I; this is denoted by (σ, x) →^i (σ', x'). It is defined as follows.

We have (σ, x) →^i (σ', x') if (σ', x') = (act_𝒮 ∘ think_𝒮 ∘ sense_𝒮)(σ, x, i), where the three functions are defined by:

  sense_𝒮 : Σ × R^n × I → Σ × R^n ,   (σ, x, i) ↦ (σ[x_s ↦ s(x, i)(x_s)]_{x_s ∈ Var_s}, x) ;
  think_𝒮 : Σ × R^n → Σ × R^n ,       (σ, x) ↦ (⟦c⟧(σ), x) ;                                    (4)
  act_𝒮   : Σ × R^n → Σ × R^n ,       (σ, x) ↦ (σ, execPlant(p_{σ(x_a)}, x)) .

Here ⟦c⟧ is as in Def. A.1. It is clear that given a state (σ, x) and i ∈ I the post-state (σ', x') such that (σ, x) →^i (σ', x') is uniquely determined. A succession (σ_0, x_0) →^{i_0} (σ_1, x_1) →^{i_1} ⋯ →^{i_{T−1}} (σ_T, x_T) of one-step transitions is called a run of the system 𝒮.

A specification of a state of a sampled data system is given by a pair of an assertion formula (on the controller) and a subset of R^n (on the plant).

Definition 2.9 (CP-condition). Let 𝒮 = (c, p, s) be an n-dimensional sampled data system. A controller-plant condition (CP-condition) for 𝒮 is a pair (Φ, X) of an assertion Φ ∈ Fml called the controller condition and a condition X ⊆ R^n called the plant condition. The projection to each component is denoted by π_C and π_P respectively.

Given a state (σ, x) ∈ Σ × R^n of 𝒮 and a CP-condition (Φ, X), we write (σ, x) ⊨ (Φ, X) if σ ⊨ Φ and x ∈ X. (Φ, X) is satisfiable if there is a state that satisfies it.


2.7 The Input Synthesis Problem for Sampled Data Systems

Definition 2.10 (input synthesis problem). The input synthesis problem is:

given:  • 𝒮 = (c, p, s), an n-dimensional sampled data system;

        • (Φ_init, X_init) and (Φ_fin, X_fin), a pre- and a post-CP-condition; and

        • T ∈ N, the number of steps,

return: • an initial state (σ_0, x_0) ∈ Σ × R^n such that (σ_0, x_0) ⊨ (Φ_init, X_init); and

        • an input sequence i_0, ..., i_{T−1} ∈ I such that, for the corresponding run (σ_0, x_0) →^{i_0} (σ_1, x_1) →^{i_1} ⋯ →^{i_{T−1}} (σ_T, x_T) of 𝒮, we have (σ_T, x_T) ⊨ (Φ_fin, X_fin).

Example 2.11. Let 𝒮 be the sampled data system in Example 2.6. Consider

  a pre-CP-condition (cnt = 0, [0, 1]) and a post-CP-condition (true, [1.2, 2])

and T = 4 as the number of steps. In the input synthesis problem, we seek for an initial state (σ_0, x_0) and an input sequence i_0, i_1, i_2, i_3 ∈ [−0.2, 0.2] such that

  (σ_0, x_0) ⊨ (cnt = 0, [0, 1]) ,   (σ_0, x_0) →^{i_0} (σ_1, x_1) →^{i_1} ⋯ →^{i_3} (σ_4, x_4)   and   (σ_4, x_4) ⊨ (true, [1.2, 2]) .


3 An Algorithm for Input Synthesis for Sampled Data Systems

In this section we present our algorithm. We identify the core of the input synthesis problem to be the discovery of suitable input and output of the controller at each step. More specifically, we seek for a successful path

  ⟨(σ_s^{(0)}, m^{(0)}), (σ_s^{(1)}, m^{(1)}), ..., (σ_s^{(T−1)}, m^{(T−1)})⟩                                  (5)

where σ_s^{(k)} : Var_s → B is a valuation of sense variables, which shall be henceforth called sensor output, and m^{(k)} ∈ Modes is a mode.² Together with an initial state (σ_0, x_0), the sensor output σ_s^{(k)} determines the behavior of the controller, and the mode m^{(k)} determines that of the plant, at each step k. Therefore a path like in (5) determines the behavior of the whole sampled data system from step 0 through step T; a "successful" path is then one that steers the given precondition to the given postcondition.

Towards the discovery of a successful path, our approach is to exploit the program logic in §2.4, i.e. to make the most of the structure of the controller as a program. In our modeling of sampled data systems (§2.1) we have made assumptions so that the program-logic approach is possible.

Concretely, our algorithm consists of the following three phases.

1. (Forward approximation) We overapproximate the set of CP-states that the system can reach, starting from the pre-CP-condition (Φ_init, X_init) and going forward step by step. This first phase is seen as a preparation for the second (main) phase.

2. (Backward search) A successful path (5) will be a path in a so-called backward search tree. Its branching degree is 2^{|Var_s|} × |Modes|; its nodes are labeled with CP-conditions; and its root is labeled with the post-CP-condition. We search for a successful path in the tree, in a depth-first manner.

3. (Synthesis of actual input) We choose an initial state and go on to synthesize an input sequence i_0, ..., i_{T−1}, using the successful path discovered in the previous phase. This can be done in a straightforward linear manner.

The second phase (backward search) is where an actual (depth-first) search is done. Program logic is used there to prune branches and reduce the search space.


² This is purely for the purpose of presentation.
3.1 Forward Approximation

In this phase of the algorithm, we overapproximate the behavior of the given sampled data system and obtain a sequence of CP-conditions. These are obtained iteratively as follows.

Notation 3.1. Let 𝒮 = (c, p, s) be an n-dimensional sampled data system; I be its input domain; and σ_s ∈ B^{Var_s} be sensor output. We abuse notation and denote by s^{-1}(σ_s) the set of plant states that can be "steered" to σ_s. Precisely, s^{-1}(σ_s) := {x ∈ R^n | ∃i ∈ I. s(x, i) = σ_s}.

For example, let σ_s be such that σ_s(x_s) = tt in the setting of Example 2.6. We have s^{-1}(σ_s) = {x ∈ R | ∃i ∈ [−0.2, 0.2]. x + i > 1} = [0.8, ∞).

Definition 3.2 (1-FA, k-FA). Let 𝒮 = (c, p, s) be a sampled data system. Let us first define the functions 1-FA^sense_𝒮, 1-FA^think_𝒮 and 1-FA^act_𝒮 as follows. Their types should be obvious.

  1-FA^sense_𝒮(σ_s)(Φ, X) := (s[x_s := σ_s(x_s), Φ], X ∩ s^{-1}(σ_s)) ,
  1-FA^think_𝒮(Φ, X)      := (s[c, Φ], X) ,                                                         (6)
  1-FA^act_𝒮(m)(Φ, X)     := (Φ ∧ x_a = m, execPlant(p_m, X)) .

Here s[c, Φ] in the second line is the strongest postcondition (Def. 2.3); execPlant(p_m, X) in the third line is the direct image of X ⊆ R^n by the function in Def. 2.7; and s[x_s := σ_s(x_s), Φ] in the first line is defined as follows, similarly to Def. 2.3:

  s[x_s := σ_s(x_s), Φ] := (Φ[true/x_s] ∨ Φ[false/x_s]) ∧ x_s      if σ_s(x_s) = true ,
  s[x_s := σ_s(x_s), Φ] := (Φ[true/x_s] ∨ Φ[false/x_s]) ∧ ¬x_s     if σ_s(x_s) = false .

These three functions are composed to yield:

  1-FA^{σ_s,m}_𝒮(Φ, X) := 1-FA^act_𝒮(m)(1-FA^think_𝒮(1-FA^sense_𝒮(σ_s)(Φ, X))) ;

this is understood as the strongest postcondition after the one-step execution of 𝒮, assuming that the sensor output σ_s and the mode m have been chosen.

Finally, the one-step forward approximation function is defined as the following disjunction/union over different σ_s and m:

  1-FA(Φ, X) := ( ∨_{(σ_s, m) ∈ 𝒜} π_C(1-FA^{σ_s,m}_𝒮(Φ, X)) ,  ∪_{(σ_s, m) ∈ 𝒜} π_P(1-FA^{σ_s,m}_𝒮(Φ, X)) ) ,
  where 𝒜 := { (σ_s, m) ∈ B^{Var_s} × Modes | 1-FA^{σ_s,m}_𝒮(Φ, X) is satisfiable } .              (7)

The projections π_C and π_P, as well as satisfiability of CP-conditions, are from Def. 2.9.

We write k-FA(Φ, X) for (1-FA)^k(Φ, X). The sequence (k-FA(Φ_init, X_init))_{k = 0, ..., T} of CP-conditions is called the forward approximation sequence for 𝒮.

As an example we present forward approximation for Example 2.11. The first one-step approximation (from k = 0 to k = 1) is shown below, stage by stage.

(8) [figure: the sense, think and act stages of the one-step forward approximation 1-FA(cnt = 0, [0, 1]); only the stage names survive extraction]

Observe that we have four CP-conditions in the fourth column from the left. Each of them corresponds to a choice of (σ_s, m). Two among the four CP-conditions are unsatisfiable and hence discarded (i.e. they are not in 𝒜); the remaining two are unified and yield 1-FA(cnt = 0, [0, 1]) in the rightmost column.³ By continuing further we obtain the forward approximation sequence shown below in (9), presented pictorially.

For the completeness of our algorithm we need to prove that our forward approximation is indeed an over-approximation.

Proposition 3.3. Let i_0, ..., i_{k−1} ∈ I be an input sequence; (σ, x) →^{i_0} ⋯ →^{i_{k−1}} (σ', x') be a run of 𝒮; and (σ, x) ⊨ (Φ, X). Then (σ', x') ⊨ k-FA(Φ, X). □

3.2 Backward Search

In this phase of the algorithm we search for a successful path ⟨σ_s, m⟩ of sensor outputs and modes, i.e. one that steers an initial state to a desired postcondition. The search is conducted in a backward depth-first manner in a tree called the backward search tree.

For the input synthesis problem, it is not necessary to construct the whole backward search tree: finding a leaf whose CP-condition is compatible with the precondition suffices. We will use program logic, and the forward approximation sequence obtained in the previous phase, in pruning branches and reducing the search space.


Definition 3.4 (backward search tree). Given an input synthesis problem, its backward search tree is a tree with branching degree 2^{|Var_s|} × |Modes| and with height T + 1. The nodes of the tree are defined inductively as follows.

• The root of the tree is labeled with the postcondition (Φ_fin, X_fin).

• Let (Φ, X) be the label at the position ⟨σ_s, m⟩, a path of length j. Its child at the position ⟨σ_s, m⟩(σ'_s, m') is labeled with

  (Φ', X') := ( π_C(k-FA(Φ_init, X_init)) ∧ π_C(1-BS_𝒮(σ'_s, m')(Φ, X)) ,
                π_P(k-FA(Φ_init, X_init)) ∩ π_P(1-BS_𝒮(σ'_s, m')(Φ, X)) ) ,                        (10)

  where k = T − j − 1 and the function 1-BS_𝒮 is defined as follows.

  1-BS_𝒮(σ_s, m)(Φ, X)   := 1-BS^sense_𝒮(σ_s)(1-BS^think_𝒮(1-BS^act_𝒮(m)(Φ, X)))   where
  1-BS^act_𝒮(m)(Φ, X)     := (Φ ∧ x_a = m, execPlant(rev(p_m), X)) ,                                (11)
  1-BS^think_𝒮(Φ, X)      := (w[c, Φ], X) , and
  1-BS^sense_𝒮(σ_s)(Φ, X) := (Φ[σ_s(x_s)/x_s], X ∩ s^{-1}(σ_s)) .

In the second line, execPlant(rev(p_m), X) means running the original ODE ẋ = p_m(t, x) with time reversed (i.e. from t = 1 to t = 0) and with the "initial" value X (at time t = 1). Concretely, rev(p_m) is given by: rev(p_m)(t, x) = −p_m(1 − t, x).

By BS(⟨σ_s, m⟩) we denote the label in the tree, at the position designated by the path ⟨σ_s, m⟩. BS(⟨σ_s, m⟩) is therefore a CP-condition.

³ Our approximation here is coarse: the correlation between a C-condition and a P-condition is forgotten by separately taking the disjunction of C-conditions and the union of P-conditions (see (7)). A finer approximation, however, makes the approximant grow much bigger and slows down the backward search phase of the algorithm.

Definition 3.5 (successful path). Let ⟨σ_s, m⟩ be a path in the backward search tree. It is successful if: 1) it is of length T; and 2) the label BS(⟨σ_s, m⟩) at the leaf is satisfiable.

The following establishes that finding a successful path in the backward search tree is equivalent to solving the input synthesis problem.

Proposition 3.6 (soundness & completeness). Let ⟨σ_s, m⟩ be a successful path in the backward search tree. Assume also that σ_0 ∈ Σ and x_0 ∈ R^n satisfy (σ_0, x_0) ⊨ BS(⟨σ_s, m⟩). Then there exists an input sequence i_0, ..., i_{T−1} ∈ I such that the initial state (σ_0, x_0) together with i_0, ..., i_{T−1} is an answer to the input synthesis problem.

Conversely, assume there is an answer to an input synthesis problem, given by (σ_0, x_0) and i_0, ..., i_{T−1}. Then there is a successful path ⟨σ_s, m⟩. □

In searching for a successful path in a backward search tree, once we hit an unsatisfiable label, clearly all its offspring are unsatisfiable. We therefore prune such a branch. The use of k-FA in (10) strengthens the labels and makes more branches pruned.

Lemma 3.7 (pruning is correct). In the backward search tree, assume that the label at the position ⟨σ_s, m⟩ is unsatisfiable. Then its child has an unsatisfiable label too. □

An example is again using Example 2.11. Fig. 3 describes details of one-step generation (from the root (k = 4) to k = 3) of the backward search tree. The rightmost is the root; the four leftmost nodes are the direct children of the root; and the intermediate layers are not present in the backward search tree but are shown for illustration. Each of the four children corresponds to each possible choice of (σ_s, m). The bottom two children are unsatisfiable; the intuition is that the plant's mode at time k = 3 cannot be Brk for the postcondition to hold. The search for a successful path will therefore be continued from one of the two top children.

Presented in Fig. 4 is a more bird's-eye view of the backward search tree; it shows one possible trace of the depth-first search. It has found a successful path

  ⟨σ_s, m⟩ = ⟨(x_s ↦ tt, Acl), (x_s ↦ ff, Acl), (x_s ↦ tt, Brk), (x_s ↦ tt, Acl)⟩ .                    (12)

In the search shown in Fig. 4, pruning has occurred at the nodes (N1)–(N3).
Figure 3: Generation of the backward search tree, in detail

Figure 4: A bird's-eye view of the backward search tree


3.3 Syothesis of Acluai Inpul 

Tlie second phase gives us a successful path (t7,.m^;as discussed at ihe begmiiiog of this deiermiues 
the behuvior uf the whole seapled dau system. We now syaihesize an ac luai answer lo ilie input synthe¬ 
sis problem from ibe pjib ) Theoretically it u possible iProp. 3.6 : it is moreover compuiotiooaJly 

cbeup, usisg a CAS like Mathenutiica. 

We describe the procedure by example. Fur Example f^.lU the second phaseeives a successful puih 
in i 12 k from which we obtain a refinement of the pre-CP-condition B$((oi.0T;) = (cnt= 0, [0.8,1]) 

Ith^fimosi node in Fig.W _ , 

« K'hooslng ao Inlti^ state) By Prop |3.6|aoy (oo.vdJ such that (sn.it)} N BS(j(^,m|) admits a 
desired input sequence. Let us say 0t>(ei^ = 0 and I'o := 0.9. 


« I Running tbe pLuit) It is crucial that the behavior of the plant is completely determined now, given 
the initial P-state 10 and the sequence of modes ... . m' ^ } extracted from the 

lo the current example the plant dynamics is as follows; 0.9 —i 1.45 —i 0.95 —• 1.475 

‘ l«l Srk lil Scl 

I 7375 


• (Synthesis of input) For each moment k we now know the plant state v^(k) and the sensor output ℓ_k (the latter is extracted from the path). We choose an input r so that it, combined with v^(k), gives the sensor output specified by ℓ_k. For example let us pick k = 2. Now ℓ_2 = ff and v^(2) = 0.95: we choose r ∈ I = [−0.2, 0.2] so that v^(2) + r = 0.95 + r < 1; say r = 0. In the implementation we let the FindInstance function of Mathematica do this job.
Overall, we obtain the following run from the pre-CP-condition to the post-CP-condition. This gives an answer (cnt ↦ 0, v = 0.9) → (1, 1.45) → (2, 0.95) → (0, 1.475) → (1, 1.7375) to the input synthesis problem in Example 2.10.

4 Implementation, Optimisation and Experiments

Our prototype implementation has a front-end written in OCaml which in particular implements the inference rules of the program logic (Def. [?]). Mathematica is used for simplifying arithmetic formulas and inequalities, as well as for picking a value under a certain assumption. We also use MATLAB for numerically solving ODEs.

Our implementation is currently restricted to one-dimensional plants (n = 1). From time to time we have to calculate the evolution of an interval according to an ODE (like execPlant(f_m, X) in [?] for a set X); such a calculation is done by the method of [?].

Optimisation Techniques  We further employ the following techniques for speedup. We note that none of these affect the correctness (Prop. [?]) of our algorithm.

• (Truncation of forward approximation) In the forward approximation phase, a problem is that an approximant k-FA(Φ_pre, X_pre) can grow exponentially as k grows—as hinted already in [?]. Such an explosion of approximants slows down not only the forward approximation phase, but also the backward search phase. Moreover such a big approximant tends not to contribute a lot to pruning branches.

To avert this we truncate forward approximation under certain circumstances. Specifically we stop calculating C-conditions when the approximated C-condition has become compatible with any choice of modes—a sign of the C-condition no longer contributing to pruning. Currently such truncation is implemented only for C-conditions, but it should also be possible for P-conditions, e.g. by merging intervals.

• (Prioritization in search) In the backward (depth-first) search phase, we can have multiple children from which to pick. Besides randomized picks, we have the following prioritization strategies. In the by-volume prioritization, we estimate the volume of the P-condition (i.e. a region in R^n) of each child, and pick the one with the biggest. In the by-robustness prioritization, in contrast, we pick the child whose P-condition is the closest to the "center" of the forward-approximated P-condition. In other words, the picked child is the one with a P-condition that intersects with the forward-approximated P-condition in the most robust manner. This robustness-driven optimization is much like in S-TaLiRo [?].
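The two prioritization heuristics, as an added example (not the prototype's OCaml code) for the one-dimensional case n = 1 to which the implementation is restricted. Intervals stand for P-conditions, the robustness measure is one concrete reading of "closest to the center" that the text does not fix, and the interval inputs in the comments are constructed.

```python
# Added example (not the paper's code): child prioritization for n = 1.  A
# P-condition is a closed interval (lo, hi); `fa` is the forward-approximated
# P-condition at the same position.  The robustness measure is one reading of
# "closest to the center of the forward-approximated P-condition".
import random

def intersect(a, b):
    """Intersection of two closed intervals, or None if it is empty."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def volume(iv):
    """Length of an interval (the 1-D volume used by by-volume prioritization)."""
    return iv[1] - iv[0]

def robustness(iv, fa):
    """Smaller is better: distance from the center of `fa` to iv ∩ fa
    (0 when the center lies inside the intersection, inf when disjoint)."""
    j = intersect(iv, fa)
    if j is None:
        return float("inf")
    c = (fa[0] + fa[1]) / 2
    return 0.0 if j[0] <= c <= j[1] else min(abs(j[0] - c), abs(j[1] - c))

def prioritize(children, fa, strategy, rng=None):
    """Order child P-conditions for the depth-first backward search.
    Children disjoint from `fa` are dropped first: conjoining them with the
    forward approximant leaves an empty P-condition, so they would be pruned."""
    live = [c for c in children if intersect(c, fa) is not None]
    if strategy == "volume":
        return sorted(live, key=volume, reverse=True)
    if strategy == "robustness":
        return sorted(live, key=lambda c: robustness(c, fa))
    if strategy == "random":
        (rng or random).shuffle(live)
        return live
    raise ValueError(f"unknown strategy {strategy!r}")

# constructed sample: fa = (0.5, 1.5), children (0.0, 0.4), (0.6, 0.95), (0.97, 1.2), (3.0, 4.0)
# -> by volume   : [(0.6, 0.95), (0.97, 1.2)]
# -> by robustness: [(0.97, 1.2), (0.6, 0.95)]
```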

Experiments  We used Mathematica 9.0.1 and MATLAB 3.1.0 (for Linux x86, 64-bit), on a ThinkPad T530 with an Intel Core i7-3520M 2.90GHz CPU and 3.7GB memory.

The first table below shows the result of our prototype implementation applied to the problem in Example 2.10 with a varying number T of steps. All the times are in seconds. The rows correspond to different prioritization strategies, and to whether truncation of forward approximation is enabled. For random prioritization the experiment was repeated 50 times and the average is shown, together with the standard deviation. From the results we can see that forward approximation truncation is very effective as the problem becomes larger, on the one hand. On the other hand, no clear comparative advantage of any of the three prioritization strategies is observed.
The second table below presents the breakdown of the time (for T = 100) from the first table into the three phases of the algorithm, together with the number of backtracks in a search. While truncation causes more backtracks (this is because less information is passed to the backward search phase), we see that the speed of both of the first two phases is greatly improved thanks to simpler approximants.

We also applied our implementation to the original problem in Example 1.1. It successfully solved the problem in 638.968 seconds.

Overall, our experiments so far are limited to examples of a specific structure: namely, a counter in the controller, incremented or reset to 0 every second, causes the change of modes of the plant. This structure however is a commonly used one in industry (see Example 1.1); and its discrete nature (the counter takes an integer value that can be fairly large) becomes a challenge in many approaches to verification, testing or input synthesis. The experimental results seem to suggest that our program logic based approach is promising in coping with this kind of challenge.
A Auxiliary Definitions and Lemmas

Definition A.1 (semantics of IMPctrl). Let Σ be the set of valuations, that is,

Σ = {σ : Var → B ∪ D ∪ Modes | σ(Var_B) ⊆ B, σ(Var_D) ⊆ D, σ(x_a) ∈ Modes} .    (13)

For each expression e of IMPctrl, its semantics ⟦e⟧ is defined in the following standard way. For a ∈ AExp, ⟦a⟧ : Σ → D is defined by

⟦r⟧(σ) = r ,   ⟦a_1 aop a_2⟧(σ) = ⟦a_1⟧(σ) aop ⟦a_2⟧(σ) .

For b ∈ BExp, ⟦b⟧ : Σ → {tt, ff} is defined by

⟦b_1 ∨ b_2⟧(σ) = ⟦b_1⟧(σ) ∨ ⟦b_2⟧(σ) and similarly for ∧, ¬, true and false;
⟦a_1 rop a_2⟧(σ) = ⟦a_1⟧(σ) rop ⟦a_2⟧(σ) .

For c ∈ Cmd, ⟦c⟧ : Σ → Σ is defined by

⟦skip⟧(σ) = σ ,   ⟦x_i := a⟧(σ) = σ[x_i ↦ ⟦a⟧(σ)] ,   ⟦x_a := m⟧(σ) = σ[x_a ↦ m] .

Here f[x_0 ↦ y_0] denotes function update: the function f[x_0 ↦ y_0] carries x_0 to y_0 and acts as f on the other arguments. We … input

Definition A.2 (semantics of Assn). We define the semantics of a ∈ AExp of Assn as a function ⟦a⟧ : Σ × R^n → R:

⟦r⟧(σ, γ) = r ,   ⟦v_i⟧(σ, γ) = γ(v_i) ,   ⟦a_1 aop a_2⟧(σ, γ) = ⟦a_1⟧(σ, γ) aop ⟦a_2⟧(σ, γ) .

For m ∈ MExp, its semantics is a function ⟦m⟧ : Σ × R^n → Modes defined by ⟦m_i⟧(σ, γ) = m_i and ⟦x_a⟧(σ, γ) = σ(x_a). Finally for formulas, the semantics of Φ ∈ Fml is given by the relation ⊨ between Σ × R^n and Fml defined as follows. σ, γ ⊨ true, σ, γ ⊭ false, and


σ, γ ⊨ x_b            iff  σ(x_b) = tt ,
σ, γ ⊨ a_1 rop a_2    iff  ⟦a_1⟧(σ, γ) rop ⟦a_2⟧(σ, γ) ,
σ, γ ⊨ m_1 = m_2      iff  ⟦m_1⟧(σ, γ) = ⟦m_2⟧(σ, γ) ,
σ, γ ⊨ Φ_1 ∨ Φ_2      iff  σ, γ ⊨ Φ_1 or σ, γ ⊨ Φ_2   (similarly for ¬ and ∧),
σ, γ ⊨ ∀v ∈ R. Φ      iff  σ, γ[v ↦ r] ⊨ Φ for any r ∈ R   (similarly for ∃).

We write σ ⊨ Φ if σ, γ ⊨ Φ for every γ ∈ R^n.

The next observation follows immediately from Def. 2.3 and 2.9.

Lemma A.3. (Φ, X) is unsatisfiable if and only if Φ is an unsatisfiable formula (i.e. logically equivalent to false) or X = ∅. □
B Omitted Proofs


B.1 Proof of Prop. 3.3

Lemma B.1. Let i ∈ I, σ ∈ Σ and x ∈ R^n. Assume (σ, x) ⊨ (Φ, X). Then

sense(σ, x, i) ⊨ 1-FA_sense(Φ, X) ,
think(σ, x) ⊨ 1-FA_think(Φ, X) ,
act(σ, x) ⊨ 1-FA_act(Φ, X) ,    (14)

where 1-FA_sense, 1-FA_think and 1-FA_act denote the sense, think and act components of the one-step forward approximation 1-FA.


Proof. For sense, it is easily shown by induction on Φ that σ[x_s ↦ S(x, i)] satisfies the C-condition of 1-FA_sense(Φ, X). Moreover x ∈ X by Notation 3.[?]. Therefore we have sense(σ, x, i) ⊨ 1-FA_sense(Φ, X).

For think, the claim is obvious from Prop. [?].

For act, we trivially have σ ⊨ x_a = σ(x_a). Therefore

act(σ, x) ⊨ (Φ ∧ x_a = σ(x_a), execPlant(f_{σ(x_a)}, X))

follows immediately from the assumption. □

Proof (of Prop. 3.3). It is sufficient to show the case k = 1; the general case follows by induction. Let i ∈ I, (σ, x) →^i (σ', x') be a run of S^1, and (σ, x) ⊨ (Φ, X). We need to show

(σ', x') ⊨ 1-FA(Φ, X) .

This is obvious because Lemma B.1, applied to sense, think and act in turn, gives the required chain of satisfactions. □


B.2 Proof of Prop. 3.6

Lemma B.2. The following three properties hold.

(σ, x) ⊨ 1-BS_sense^{(ℓ,m)}(Φ, X)   ⟹   sense(σ, x, i) ⊨ (Φ, X) for some i ∈ I ,
(σ, x) ⊨ 1-BS_think^{(ℓ,m)}(Φ, X)   ⟹   think(σ, x) ⊨ (Φ, X) ,
(σ, x) ⊨ 1-BS_act^{(ℓ,m)}(Φ, X)     ⟹   act(σ, x) ⊨ (Φ, X) .

It follows that: if (σ, x) ⊨ 1-BS^{(ℓ,m)}(Φ, X), then there exist an input i ∈ I and a CP-state (σ', x') for which we have (σ, x) →^i (σ', x') and (σ', x') ⊨ (Φ, X).

Proof. For sense, it follows from the assumption that σ ⊨ Φ[ℓ(x_s)/x_s] and x ∈ X. Then we have (σ[x_s ↦ ℓ(x_s)], x) ⊨ (Φ, X). Moreover, the assumption also places x where the sensor can output ℓ(x_s): there exists some i ∈ I such that S(x, i) = ℓ(x_s). For this choice of i we have sense(σ, x, i) = (σ[x_s ↦ ℓ(x_s)], x).

For think, we have from the assumption that σ satisfies the precondition of Φ with respect to the controller program c (in the program logic) and that x ∈ X. Therefore (⟦c⟧(σ), x) ⊨ (Φ, X) from Prop. [?].

For act, we have σ ⊨ Φ ∧ x_a = m and x ∈ execPlant(rev(f_m), X) from the assumption. Then we have σ(x_a) = m, hence x ∈ execPlant(rev(f_{σ(x_a)}), X), that is, x is reached from the region X by running f_{σ(x_a)} with time reversed. From this the claim (σ, execPlant(f_{σ(x_a)}, x)) ⊨ (Φ, X) follows. □

Proof (of Prop. 3.6). For soundness, first we observe that (σ_0, x_0) ⊨ (Φ_pre, X_pre). This is because BS((ℓ⃗, m⃗)) entails 0-FA(Φ_pre, X_pre) = (Φ_pre, X_pre) by Def. 3.4.

Starting from (σ_0, x_0), we can repeatedly apply Lem. B.2 to obtain inputs i_0, …, i_{T−1} and CP-states (σ_1, x_1), …, (σ_T, x_T) such that

(σ_0, x_0) →^{i_0} (σ_1, x_1) →^{i_1} ⋯ →^{i_{T−1}} (σ_T, x_T)   and   (σ_k, x_k) ⊨ BS((ℓ_k, m_k) ⋯ (ℓ_{T−1}, m_{T−1}))

for each k ∈ [0, T]. Then in particular (σ_T, x_T) ⊨ BS(ε) = (Φ_post, X_post), where ε denotes the empty sequence. This means that (σ_0, x_0) and i_0, …, i_{T−1} qualify as an answer.

For completeness, let (σ_0, x_0) →^{i_0} …


B.3 Proof of Lem. 3.11

Proof. Assume the node (Φ, X) at the position (ℓ⃗, m⃗) has an unsatisfiable label. Consider its child at the position (ℓ⃗, m⃗)·(ℓ', m'), for an arbitrary sensor reading ℓ' and an arbitrary mode m' ∈ Modes.

We know Φ = false or X = ∅ from Lem. A.3. In case Φ = false, we easily see that the C-condition of 1-BS^{(ℓ',m')}(Φ, X) is false. In case X = ∅, similarly the P-condition of 1-BS^{(ℓ',m')}(Φ, X) is ∅. □




